Cloudmark Security Blog

DNS Tunneling (Ab)Uses

Abuse of global DNS infrastructure for the purpose of distributed denial-of-service (DDoS) attacks on various Internet services has been a hot topic in the news for some time now. But there is another unintended use of DNS that can be exploited for a wide range of purposes: DNS tunneling. These purposes can range from benign to dubious to outright malicious.

For example, some botnets such as Feederbot and Morto use DNS requests and TXT record responses to communicate with their command and control servers. DNS tunneling also provides a convenient avenue for bypassing a network’s protocol and application-level restrictions. Researchers have shown that it could be possible to exfiltrate the results of SQL injection via DNS tunneling, sneaking past monitoring to subvert data leak prevention measures and avoid triggering alarms.

VPN and popular DNS tunneling tools such as Iodine have both good and bad uses. For example, they can be used to exfiltrate sensitive information from an internal network that has no DNS protection, but political activists can also use them to evade state-level content censorship. Wi-Fi hotspots often impose paywalls to support the service, which a user can circumvent using DNS tunneling to access the Internet for free. Even some mobile operators are guilty of forcing their customers’ traffic to tunnel over DNS to avoid paying termination fees. Various security services and anti-virus programs use DNS to look up signatures – a benign use of the DNS infrastructure as a distributed database rather than a name resolution service.

These unconventional uses of DNS may have a noticeable impact on the infrastructure. While investigating the traffic at a major ISP in Asia, we saw an average of 0.5 queries per IP per minute. A single user running a DNS tunneling package such as Iodine would generate 17,056 queries in that same window, 3,273 times the norm. If one in a thousand users were tunneling over DNS, the traffic from this 0.1 percent would amount to over 13.4 million extra queries, increasing the total query volume more than 3.27 times.
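As an added illustration (not code from the Cloudmark post or its whitepaper), the following Python flags clients whose DNS behaviour matches the profile described above: a per-IP query rate far above the 0.5 queries per minute baseline, and leftmost labels that look like encoded payload, as Iodine-style tunnels and TXT-record C2 produce. The log record format, the sample records and the thresholds (RATE_FACTOR, ENTROPY_THRESHOLD, MIN_LABEL_LEN) are assumptions made for the example.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

BASELINE_QPM = 0.5       # article's observed average: queries per IP per minute
RATE_FACTOR = 100        # assumed: flag a client at or above 100x the baseline
ENTROPY_THRESHOLD = 3.5  # assumed: bits/char above which a label looks like encoded data
MIN_LABEL_LEN = 20       # assumed: labels shorter than this are not scored

def shannon_entropy(text):
    """Bits per character; base32/base64 payload chunks score far above hostnames."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyze(log_lines):
    """Per-client summary of 'minute client_ip qtype qname' records (constructed format)."""
    per_minute = defaultdict(Counter)   # ip -> minute -> query count
    encoded = Counter()                 # ip -> labels that look like encoded payload
    for line in log_lines:
        minute, ip, _qtype, qname = line.split()
        per_minute[ip][minute] += 1
        label = qname.split(".")[0]     # tunnels put their data in the leftmost label
        if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) > ENTROPY_THRESHOLD:
            encoded[ip] += 1
    report = {}
    for ip, minutes in per_minute.items():
        peak = max(minutes.values())
        flags = []
        if peak >= BASELINE_QPM * RATE_FACTOR:
            flags.append("rate")
        if encoded[ip]:
            flags.append("entropy")
        report[ip] = {"peak_qpm": peak, "encoded_labels": encoded[ip], "flags": flags}
    return report

def build_sample_log():
    """Constructed log: one ordinary client (10.0.0.5) and one tunnel-like client (10.0.0.9)."""
    lines = ["0 10.0.0.5 A www.example.com", "0 10.0.0.5 A mail.example.com",
             "1 10.0.0.5 AAAA cdn.example.com"]
    for i in range(60):  # 60 TXT queries in one minute, each carrying a base32 chunk
        chunk = base64.b32encode(hashlib.sha256(str(i).encode()).digest()[:20])
        lines.append(f"0 10.0.0.9 TXT {chunk.decode().lower()}.t.example.net")
    return lines

if __name__ == "__main__":
    for ip, summary in analyze(build_sample_log()).items():
        print(ip, summary)
```

On a real resolver log the two heuristics should be combined with a per-domain view (many distinct labels under one zone), since a single busy client or a CDN with long hostnames can trip either one alone.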

These uses and abuses of DNS are commonplace today and will only grow. Without technology to control DNS traffic and protect networks, network owners could suffer harm and the infrastructure could be put at risk. For a deeper dive into DNS tunneling, please see our new DNS tunneling whitepaper.